Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.
Published: 2026-02-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A heap use-after-free occurs in the RDPSND async playback thread of FreeRDP. When the audio channel is closed, the library continues to process queued packets after its internal state has been freed, corrupting heap memory and allowing an attacker to overwrite memory or execute arbitrary code through the rdpsnd_treat_wave routine.

Affected Systems

FreeRDP installations running any version prior to 3.22.0 are affected. The vulnerability is present in all builds that include the RDPSND component and has been fixed in the 3.22.0 release.

Risk and Exploitability

The vulnerability scores 8.7 on the CVSS scale and has an EPSS score of less than 1%. It is not present in the CISA KEV catalog. Attackers can exploit it remotely by connecting to a vulnerable FreeRDP client or server, sending crafted audio packets after the channel has been closed. Successful exploitation would give the attacker the ability to execute code with the privileges of the FreeRDP process.

Generated by OpenCVE AI on April 17, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FreeRDP client or server to version 3.22.0 or later.
  • Restart the affected application after the update so the new code is loaded.
  • If an immediate upgrade is not possible, disable the RDPSND audio subsystem or the audio channel in the RDP configuration to eliminate the vulnerable code path temporarily.

Advisories
Source | ID | Title
Ubuntu USN | USN-8042-1 | FreeRDP vulnerabilities
History

Tue, 10 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics ssvc | | {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Metrics cvssV3_1 | {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'} | {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Tue, 10 Feb 2026 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freerdp, Freerdp freerdp
Vendors & Products | | Freerdp, Freerdp freerdp

Tue, 10 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-131
References | |
Metrics threat_severity | None | Moderate
Metrics cvssV3_1 | | {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Mon, 09 Feb 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.
Title | | FreeRDP has a Heap-use-after-free in play_thread
Weaknesses | | CWE-416
References | |
Metrics cvssV4_0 | | {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T16:01:41.254Z

Reserved: 2026-01-23T20:40:23.389Z

Link: CVE-2026-24684

Vulnrichment

Updated: 2026-02-10T15:39:57.419Z

NVD

Status: Analyzed

Published: 2026-02-09T19:15:50.057

Modified: 2026-02-10T15:02:32.033

Link: CVE-2026-24684

Redhat

Severity: Moderate

Public Date: 2026-02-09T18:23:02Z

Links: CVE-2026-24684 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z

Weaknesses